Thursday, April 16, 2015

Feds have backdoors, now they want front doors too????

The governments around the world are really putting up scary stories about the terrorists that got away, the child porn dealers, the sex traffic trade, the drug trade...  And all of those "criminals" that are getting away because of encryption... I am going to say it now... BS! BS! BS! BS!

First off what did law enforcement do before they had access to everything we now say, do, places we go, and the things we participate in?  All without warrants and completely illegally?  That is right, they had to hit the ground, they had to actually investigate, they had to actually find evidence in the real world of wrongdoing, and hopefully they had to do it using a due process of law that says you're innocent until PROVEN guilty and that you had to have probable cause before you rifled through a person's bank records, email, phone calls, and your location data.... I mean seriously.  Technology not only has made people LAZY, but also appears to give them permission to act LAWLESSLY!  Every day now it seems like we hear another story about law enforcement listening in on calls, rifling through your life, car, and personal belongings and no probable cause.  Now we get this BS story... I am ready to PUKE!

Feds want to violate your privacy and security

Now the Feds are demanding not just a back door into our systems, which after the Snowden revelations it is clear they already have...  But now they want a front door... to quote them.  Check out the article and ponder on it for a bit.  Let me just clue you in that if you back any of your data up to the cloud, or anything is synced off of your devices externally... If it isn't encrypted it is already being handed over to the Feds...  So they can cry me a river about IOS 6 encryption etc... but it is all smoke and mirrors...

I frankly think it is time to start saving copies of PGP and SSH everywhere and start thinking about a soon to come world where it is illegal to have any rights at all... Just sayin...

In my next installment, if I get some time, I would like to talk about the Trusted Platform Module and why I think this is flawed.

In the meantime apply those patches, shut down those unused services... And think hard about using encryption.

CompTIA Security+ testing

Yesterday I took the CompTIA Security+ test.  I passed the exam with an 867 out of a possible 900 score.  I have been working on this for over a month of watching videos, reading books, and taking practice tests and I can tell you that if I hadn't had access to multiple reference sources there is no way I feel that I would have passed this test.

The test itself is very vaguely worded, misleading, and very challenging.  On occasions you're left to guess what they are referring to and make a best guess with the info you have been provided at the possible answers.  I can say that the test prep materials will get you the basic information for the test, but you will be left to dig for the type of detail they are wanting on the test.  Some questions might look similar to what you might see on the test, but you really need to pound this material into your head and do a lot of internet searches to get enough detail to help pull enough of it together to get you through this test.

I will tell you I expected the test to look a lot like the practice exams that I had been taking and it really wasn't like that and it had me pretty worried.  It is a HARD test and I feel fortunate I could spend the time to study this so hard and get as much as I could in my head.

My advice to anyone wanting to take the test is to use as many sources of reference materials as you can get.  Of course ask around and look at online reviews of the best materials to get.  I used CBT Nuggets videos, CompTIA Cert Guide for SY0-401 with practice exams, and I purchased some other practice exam test prep materials.  I spent a lot of time using Start Page to chase down the info I didn't understand or where I thought the book and materials were wrong.  There are a lot of mistakes in the training materials and practice exams so double check it all for yourself.  They could cost you some test questions.

Is the CompTIA Security+ cert worth it?  Well I can say that if you're interested in a security oriented job this is a good crash course start to get the overview of how the technology works.  Non-specific, non-vendor oriented.  If you're foggy or unclear about how security in the digital world works this will help pull it together and clarify things for you.  This is a good foundation to start from.

If you're just taking this exam for a cert and will forget it as soon as you're done taking the test and won't be really working in security or technology implementations where you have a security focus then you may just be wasting your time.  I know many DOD and government contractors need this cert for the jobs as a requirement.  I think it is good to have security awareness however I know folks that as soon as they take this test they just dump it and don't worry about it until they have to recertify in 3 years.  I know it is required for those folks to have this cert, but there is a reason.  It really needs to be the foundation of how we handle our systems, networks, and data.  I don't however think this test is a good example of how to demonstrate that.  If I couldn't come up with a better test than this I am not sure I would have published this cert... Just saying.

Now all that said... Security is hot, this is a good place to start.

Wednesday, April 8, 2015

$25 million fine - really? 280k customers' data exposed due to AT&T negligence

AT&T made more than that in the time that it took me to post this... What a JOKE!  Look at what they allowed to happen, and the impact... Your socials and payment methods compromised due to clear negligence.

Who else thinks that the fines need to be STIFF, and the compensation to customers should be extensive?

280k customers exposed in AT&T negligence

Biometrics - To catch a spy

Just read this interesting article about biometrics making it hard for those in the spy agencies to go undetected and to go unnoticed.  It really drove home the need for multifactor authentication in our systems and networks.  In order to secure our networks and our systems we need more information about those that require access and to ensure that several forms of identification are provided that cannot be easily forged, copied, or otherwise stolen for the purposes of entry.

Of course this does nothing if the system itself is compromised either through poor design, lax administration, or flaws in the software and devices themselves that allow security to be circumvented.   Or worse yet large persistent and well funded and connected entities have created their own back doors so that they have access.  None of these really can be addressed by biometrics directly with the current control mechanisms we have today.

I thought this article made some interesting points, however the idea that every person walking down a street, into a building, or using any kind of transportation will be scanned, identified, and monitored is really just creepy.  I long for the days where there needed to be probable cause before you could rifle through people's lives and track their every move.  It is one thing when a person is entering into a "controlled area", but the entire world outside of my home is NOT a "controlled area" where this level of identification, authorization, and accounting is needed....  We very quickly become a prison state if we continue down this path.

I believe the internet needs to be treated the same way.  If you're in a "public" area then who you are and what you're doing is none of my business unless we have probable cause to suspect you're up to something.  The bar needs to be set high before we start tracking and monitoring.  However once you log into someone else's network either as a customer or as a user of their services then you will have to consent to being monitored and granted access to the services or areas you are interested in.  It is in the best interest of the company or service provider to ensure that their systems stay secure and that you're only given access to the things you have a need to access.

So there needs to be a differentiation between what is public and what is private, and the grounds in which someone can or should be required to identify themselves and to be monitored.  I think in the case where someone is required to provide identification that biometrics makes sense... Something you have, something you know, and something you are...  Ensure you know who is accessing your network and what they have access to.

Here is the article that talks about this topic...
Biometrics - To Catch a Spy

Wednesday, April 1, 2015

NSA tells public to reduce the use of passive voice in email....

NSA Tells Public To Reduce Use of Passive Voice In Email

Both style and national security are impacted by the use of passive voice, the NSA said today. Having spent many billions of taxpayer dollars to capture all private electronic communication, the agency is frustrated that poor writing habits are making this data difficult to analyze. "We strongly prefer short declarative sentences where the actor is clearly identified," said an NSA spokesperson. "Instead of writing, 'The protest will be attended by many activists,' it would be better to write, 'Known dissidents Amy Goodman, Laura Poitras, and Glenn Greenwald will travel by bus to the protest in Washington Square Park, New York, and will arrive at approximately 1:04 p.m. on April 1st, 2015.'" The NSA further suggested that instead of composing private email, citizens could instead fill out a webform at or travel to Bluffdale, Utah and share all of their most private secrets with the NSA in person.

It is hard to laugh at these April 1st "jokes" when we talk about the NSA anymore...  Just sayin...